WinDealer dealing on the side

MITRE Techniques

• [T1189] Drive-by Compromise – Watering hole infections and social engineering to push updates and malware. Quote: “…watering-hole attacks (for instance, on local news websites) to infect their targets.”
• [T1218] Signed Binary Proxy Execution – WinDealer delivered through a signed executable (qgametool.exe) with a hardcoded update URL used to install/update malware. Quote: “…a signed executable qgametool.exe… This program contains a hardcoded URL that it uses to check for updates…”
• [T1547.001] Registry Run Keys / Startup Folder – Persistence via the RUN key in the Windows Registry. Quote: “set up or remove persistence (via the registry’s RUN key)”
• [T1027] Obfuscated/Compressed Files and Information – Embedded DLL is decoded with a 10-byte XOR key. Quote: “decode it using a 10-byte XOR key.”
• [T1046] Network Service Scanning – Network discovery performed via ping scans. Quote: “Network discovery via ping scan.”
• [T1082] System Information Discovery – Information gathering includes hardware details, network config, keyboard layout, running processes, and installed apps. Quote: “Information gathering: collecting hardware details, network configuration and/or keyboard layout, listing running processes, installed applications and configuration files of popular messaging applications (Skype, QQ, WeChat and Wangwang);”
• [T1057] Process Discovery – Listing running processes. Quote: “listing running processes”
• [T1572] Protocol Manipulation – Man-on-the-side capabilities imply intercepting and modifying in-transit data. Quote: “man-on-the-side attacker who is able to intercept all network traffic and even modify it if needed.”
• [T1105] Ingress Tool Transfer – Downloading and uploading of arbitrary files as part of WinDealer operations. Quote: “Download and upload of arbitrary files;”